Adversary Threat Tactics are Changing

Early 2010s: Zero-day vulnerabilities (nation state, industrial espionage, black market)

Today: Rapidly weaponizing newly-disclosed vulnerabilities (Good, Fast, Cheap - Pick 3)


Known Critical Vulnerabilities are Increasing

- 14-16K vulnerabilities disclosed 2017-2019
- 30-40% are ranked as "High" or "Critical" severity
- Worm-able vulnerabilities are increasing (WannaCry, BlueKeep)
- "Mean Time to Weaponize" is rapidly decreasing year over year

(Chart: vulnerability disclosures by year, 2005 onward)
Time to Weaponize

Vulnerability | Vuln Disclosure | Exploit Date | Time     | First Exploit Type
WannaCry      | March 2017      | May 2017     | 2 months | Ransomware
BlueKeep      | May 2019        | Nov 2019     | 6 months | Cryptominer
Citrix ADC    | Dec 2019        | Jan 2020     | 1 month  | Cryptominer
Crypto DLL    | Jan 2019        | ???          | ???      | ???


Get Proactive - Reduce the Attack Surface

- Immediately discover assets and vulnerabilities
- Patch and verify remediation / stop the instance
- Change configuration to limit unauthorized access
- Control network access / cloud security groups
- Add Endpoint Detection and Response
Proactively Hunt, Detect, and Respond

Indication of Compromise: Detect malware, IOCs, IOAs, and verify threat intel

Security Analytics (Summer 2020): Augment SIEMs by finding attacks using behavioral analytics and MITRE ATT&CK
Qualys IOC - Hunt Using Threat Intel

NotPetya Ransomware spreading using ETERNALBLUE Vulnerability and Credential Stealing
October 6, 2017

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware, referred to as NotPetya, encrypts files with extensions from a hard-coded list.

Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods using the ETERNALBLUE vulnerability and credential stealing via a modified version of Mimikatz.

Technical Details

Anti-Virus Coverage
VirusTotal reports 0/66 anti-virus vendors have signatures for the credential stealer as of the date of this report.

Delivery - MD5: 71b6a493388e7d0b40c83ce903bc6b04
Installation - MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
Credential Stealer (new) - MD5: d926e76030f19f1f7ef0b3cd1a4e80f9

Secondary Actions
NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:

Callouts:
- Threat intelligence lists attack information...
- Search for the file hash here...
Screenshot: Indication of Compromise > Hunting. Searching the credential-stealer hash d926e76030f19f1f7ef0b3cd1a4e80f9 over the last 7 days returns 2 events: svvchost.exe on assets WIN2008R2-11566 and WIN7-320860-T44.


Detect Malware Missed by Anti-Virus

UK Government Contractor:
- "Big 4" anti-virus installed
- Qualys Agent for Vulnerability Mgmt
- Added Qualys IOC on existing agents
- 256 hosts

Qualys IOC discovered...
- Dridex Banking Trojan (51)
- 4 domain controllers infected
- Backdoors (7) installed due to phishing campaigns
- Netcat (8) root kits installed
- 46 PUAs installed

(Chart: Malicious / Potentially Unwanted Apps - by hostname)
Demo


Beyond Endpoint Detection and Response:
How can I better protect my crown jewels?

Threat Hunting Assumptions:
- Every user machine can be compromised - it only takes one click
- Every Remote Code Execution (RCE) vulnerability can be exploited
- Local Privilege Escalation and Credential Harvesting to move laterally
- System misconfigurations are often overlooked and easy to exploit
- Network segmentation is rarely used internally due to management

All attacks are not equal: can Adversaries reach my Critical Servers?
Adversary Lateral Movements (Attack Paths)

Security Tiers, lower to higher: User Segments -> Business Apps -> IT Systems -> Tier 0 Systems ("Crown Jewels")

1. Bad actor compromises a user (email phishing, etc.)
2. Find systems in higher security tiers by looking for existing connections or network reconnaissance.
3. Laterally move to new system by:
   - Exploiting open vulnerabilities
   - Take advantage of misconfigurations
   - Use compromised credentials
   (repeated at each tier boundary)
Attack Path Discovery (Summer 2020)

Network Reachability
- Determine connections between hosts using Cloud Agent
- Passive + Active network collection
- Store these connections in a Graph Database for fast query

+

Asset Security Posture
- Remotely Exploitable Vulnerabilities
- System Misconfigurations
- Malware, IoCs, and Indicators of Activity
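Joining the two inputs this slide lists, observed host connections and per-asset posture, amounts to a reachability query over the graph. The Python below is an added example written for this page, not Qualys code: the hosts, tiers, connections and findings are constructed, it pivots onto a host only if that host carries an exploitable finding (the lateral-movement conditions from the previous slide), and it then asks which single remediation would cut every path to Tier 0.

```python
# Added example (not Qualys code); all hosts, connections and findings are constructed.
from collections import deque

# Observed connections as a collector would record them: (source, destination).
CONNECTIONS = [
    ("laptop-01", "hr-sharepoint"), ("laptop-01", "print-srv"),
    ("hr-sharepoint", "sql-01"), ("sql-01", "jump-01"), ("jump-01", "dc-01"),
    ("print-srv", "backup-01"), ("backup-01", "dc-01"),
]

# Per host: (security tier, exploitable findings); an empty list means not takeable.
POSTURE = {
    "laptop-01":     ("user",          ["compromised"]),
    "hr-sharepoint": ("business_apps", ["remote_rce"]),
    "print-srv":     ("business_apps", ["misconfig"]),
    "sql-01":        ("it_systems",    ["misconfig"]),
    "jump-01":       ("it_systems",    ["weak_creds"]),
    "backup-01":     ("it_systems",    ["weak_creds"]),
    "dc-01":         ("tier0",         ["remote_rce"]),
}

def attack_paths(start, target_tier="tier0"):
    """BFS from a compromised host, pivoting only onto hosts with an exploitable
    finding; returns {host in target tier: shortest path}."""
    adj = {}
    for src, dst in CONNECTIONS:
        adj.setdefault(src, []).append(dst)
    paths, seen, queue = {}, {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in adj.get(path[-1], []):
            if nxt in seen or not POSTURE[nxt][1]:  # visited, or not takeable
                continue
            seen.add(nxt)
            if POSTURE[nxt][0] == target_tier:
                paths[nxt] = path + [nxt]
            queue.append(path + [nxt])
    return paths

def chokepoints(start, target_tier="tier0"):
    """Hosts whose remediation alone cuts every path to the target tier."""
    result = []
    for host, (tier, findings) in list(POSTURE.items()):
        if host == start or not findings:
            continue
        POSTURE[host] = (tier, [])        # simulate remediating this host
        if not attack_paths(start, target_tier):
            result.append(host)
        POSTURE[host] = (tier, findings)  # restore
    return sorted(result)
```

With this data two routes lead from the compromised laptop to dc-01, so patching any one intermediate host leaves a path open; only the Tier 0 host's own finding is a chokepoint, which is the kind of result that turns a path list into a patching priority.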
Screenshot: Breach Attack & Simulation - Network Topology view (Dashboard / Assets / Network / Scans / Configuration), grouping assets into IT Mgmt Network, Users, Datacenter, Corporate Apps and SWIFT Payment; individual nodes such as an HP LaserJet 400 MFP M425 Postscript printer are shown.
Attack Path Discovery
for
Proactive Threat Hunting 
and Response Priority 
Screenshot: Indication of Compromise > Hunting. Searching SHA256 5ceec909f3dfc890fdd1e76d6f3cc093465c9d980d68b9987fc3f5eb289b6bd2 in the Active View lists 675,335 total events across file, network, process and registry types (event actions: created, established, listening, running) before any filter is applied.
Screenshot: the same hash narrowed to 5 events, all labelled Trickbot Trojan on asset SHAREPT003 (172.31.0.111): temp0291.exe created and running from c:\Users\qualys\AppData\Roaming, a mutex it created under \BaseNamedObjects, and an established TCP connection by temp0291.exe to 66.85.173.57 (tar.theoutlan.com):443.
Screenshot: Network > Topology (last 7 days) centred on the HR SHAREPOINT asset, SharePoint 172.31.0.111 in New York, NY (tags: New York | Corporate Apps | HR Apps; last scan 60 days), with its connected 172.16.201.x neighbours, including a shippinglabelApp host and the HP LaserJet 400 MFP M425 Postscript printer. INFECTIONS (4 Events): Process temp0291.exe, Malware Trickbot, Risk Score 9; Files WormDll64, NetworkDll64 and ShareDll64, each Malware Trickbot, Risk Score 8.
Screenshot: the same topology view with the Quick Menu opened on the infected SharePoint asset, offering View Asset Details, Execute a Response and Quarantine Host.
Execute a Response

The following response will be executed for the selected processes and files on the defined hosts.

Process (1)
RISK SCORE | PROCESS NAME | MALWARE  | HOST
           | temp0291.exe | TrickBot | SHAREPT003
Actions: Kill Process, Quarantine File

File Type (3)
RISK SCORE | FILE NAME                                       | MALWARE  | HOST
           | WormDll64 (C:\Users\support\AppData\Roaming)    | TrickBot | SHAREPT003
           | NetworkDll64 (C:\Users\support\AppData\Roaming) | TrickBot | SHAREPT003
           | ShareDll64 (C:\Users\support\AppData\Roaming)   | TrickBot | SHAREPT003
Action: Quarantine File
Attack Path Discovery
to
Prioritize Patching
and
Improve Security Defenses
Vulnerability Remediation Prioritization


CVSSv2 / CVSSv3 base scores 
Qualys QID Severity score 
Qualys Tagging for Asset Business Criticality 


Qualys Threat Protection Real-Time Indicators 
(based on threat intel and live attacks) 


Qualys VMDR Threat Prioritization 


(Machine Learning model + Contextual Awareness) 


Qualys Attack Path Discovery 
© Qualys 
Thank You


Chris Carlson 
ccarlson@qualys.com 


